<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>
	Comments on: Encrypting Passwords in Scripts:  The Ultimate Best Practice Guide for Powershell	</title>
	<atom:link href="https://thesysadminchannel.com/passwords-in-scripts-the-ultimate-best-practice-guide/feed/" rel="self" type="application/rss+xml" />
	<link>https://thesysadminchannel.com/passwords-in-scripts-the-ultimate-best-practice-guide/</link>
	<description>Documenting My Life as a System Administrator</description>
	<lastBuildDate>Mon, 12 Dec 2022 10:22:31 +0000</lastBuildDate>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.8.2</generator>
	<item>
		<title>
		By: Anon		</title>
		<link>https://thesysadminchannel.com/passwords-in-scripts-the-ultimate-best-practice-guide/#comment-6591</link>

		<dc:creator><![CDATA[Anon]]></dc:creator>
		<pubDate>Mon, 12 Dec 2022 10:22:31 +0000</pubDate>
		<guid isPermaLink="false">https://thesysadminchannel.com/?p=431#comment-6591</guid>

					<description><![CDATA[In reply to &lt;a href=&quot;https://thesysadminchannel.com/passwords-in-scripts-the-ultimate-best-practice-guide/#comment-1705&quot;&gt;pepo&lt;/a&gt;.

@Pepo

Except that the password is stored as a secure string (in this case, generated by Get-Credential) which can only be decoded by the Windows account that made it (so you need the secure string, access to his account, and I may be wrong on this part, but the computer it was created on).

Hence why he says he has to regenerate it every 3 months when he changes his password.

While you definitely wouldn&#039;t opt for something like this in a corporate environment (you would go with more secure methods like certificates, for example), this isn&#039;t a terrible way for people at home who want to run some scheduled scripts that require credentials while avoiding plain text.]]></description>
			<content:encoded><![CDATA[<p>In reply to <a href="https://thesysadminchannel.com/passwords-in-scripts-the-ultimate-best-practice-guide/#comment-1705">pepo</a>.</p>
<p>@Pepo</p>
<p>Except that the password is stored as a secure string (in this case, generated by Get-Credential) which can only be decoded by the Windows account that made it (so you need the secure string, access to his account, and I may be wrong on this part, but the computer it was created on).</p>
<p>Hence why he says he has to regenerate it every 3 months when he changes his password.</p>
<p>While you definitely wouldn&#8217;t opt for something like this in a corporate environment (you would go with more secure methods like certificates, for example), this isn&#8217;t a terrible way for people at home who want to run some scheduled scripts that require credentials while avoiding plain text.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: pepo		</title>
		<link>https://thesysadminchannel.com/passwords-in-scripts-the-ultimate-best-practice-guide/#comment-1705</link>

		<dc:creator><![CDATA[pepo]]></dc:creator>
		<pubDate>Sat, 09 Jul 2022 22:24:11 +0000</pubDate>
		<guid isPermaLink="false">https://thesysadminchannel.com/?p=431#comment-1705</guid>

					<description><![CDATA[This is super funny since PowerShell is open source, a script.
So having the password encrypted in some file and decrypting it into a string in the script itself, whoever wants to get it just needs to edit the script and echo the variable in the script itself instead of just passing it, unless you encrypt the script itself, which I haven&#039;t seen done since it&#039;s open source.
The best solution would be to not store passwords in any open source, easily edited script.
It should be coded in C++ or something similar and then encrypted in case you must have the password passed in plain text.
Will be harder for the attacker to obtain.]]></description>
			<content:encoded><![CDATA[<p>This is super funny since PowerShell is open source, a script.<br />
So having the password encrypted in some file and decrypting it into a string in the script itself, whoever wants to get it just needs to edit the script and echo the variable in the script itself instead of just passing it, unless you encrypt the script itself, which I haven&#8217;t seen done since it&#8217;s open source.<br />
The best solution would be to not store passwords in any open source, easily edited script.<br />
It should be coded in C++ or something similar and then encrypted in case you must have the password passed in plain text.<br />
Will be harder for the attacker to obtain.</p>
]]></content:encoded>
		
			</item>
	</channel>
</rss>
